A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any one of the patent disclosures, as it appears in the U.S. Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
The present invention generally relates to distributed computing systems, and more specifically relates to performing a disconnect policy in a distributed computing system.
A distributed computing system is a system having resources that are physically distributed among different locations. In general, the resources that make up a distributed computing system include information and data, which may be in many forms and formats, and various hardware and software components that are used to access, manage, manipulate and process the information and data.
One approach to implementing a distributed computing system is through the use of a network system. In general, a network system is a collection of computers and other peripheral devices that are connected in a manner that enables them to communicate with each other. The computers and other peripheral devices typically include software and hardware components that allow information and data to be distributed throughout the network.
Many network systems provide mechanisms that allow them to be remotely accessed. By allowing remote access, individuals can connect to the network system to access resources and obtain information while being located at a remote site.
A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, model AS5300, commercially available from Cisco Systems Inc., can be used to provide dial-in access to a network system. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to any client device, such as a personal computer (PC) or router, that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node and the network access server.
For example, many home and office computers are equipped with or have access to a modem that can be used to establish a dial-in connection with a NAS. These dial-in connections may be made using one of the Internet's standard dial-in protocols, either the Point-to-Point Protocol (PPP) or the Serial Line Internet Protocol (SLIP). To establish a connection with a particular NAS, a user interacts with the computer to cause a modem to dial into the particular NAS. As part of the dial-in process, identification information, such as a user name and password, is provided to the NAS. The NAS validates the login information, and if it is valid, the NAS establishes a "session" for the particular user. In this context, a session is a specific connection that has been established for a particular user between a Remote Node and a server and which provides access to a network system. Thus, once a session is established, the user can access resources and obtain information that is associated with the network system.
In general, it is important to be able to control and monitor the users or group of users that are able to log in and establish a session with an NAS. For example, Internet Service Providers (ISPs) allow customers to log in and establish sessions with an NAS in order to obtain access to resources that are available on the Internet. Several ISPs and "Online Services," such as America Online(copyright) and CompuServe(copyright), also provide their customers with access to proprietary information (such as proprietary databases and forums) and other online services that are available through their NAS connections. For providing access to these resources, the ISPs and Online Services charge their customers a connection fee that may be on an hourly connection or monthly flat fee basis. Thus, because their revenue is dependent on the fees that are paid by their customers, the ISPs and Online Services need to monitor and control the users or group of users who are able to log in and establish a session with one of their NASs.
To reduce loads and better serve their customers, the ISPs and Online Services may provide a large number of NASs to which customers can dial in to establish a session. In addition, because their customers may not be confined to a particular region, many ISPs and Online Services have distributed their NASs throughout the world. A benefit of distributing the NASs is that a significant number of customers are able to dial in and establish a session by a local call. Thus, the customers are not required to make long distance calls to establish a session with a NAS, nor are the ISPs and Online Services required to provide an "800" number in order to reduce their customer's connection costs.
However, a drawback of providing multiple NASs for connecting to a network is that it can be difficult to control the actual number of sessions that are to be allowed for a particular user or group of users. One method of controlling the number of sessions that a particular user or group of users can establish is by maintaining a global count as to the total number of sessions that are currently active for a particular user or group of users. For example, by designating a particular NAS as the Central Authenticator, a global count of the total number of sessions that are currently established for a particular user or group of users can be maintained. Thus, before a NAS can establish a session for a particular user or group of users, it must first communicate with the Central Authenticator to determine whether the total number of allocated sessions have already been established for the particular user or group of users. If the Central Authenticator determines that the total number of allocated sessions have already been established for the particular user or group of users, then the connection request is denied. Alternatively, if the Central Authenticator determines that the total number of allocated sessions have not yet been established, then the connection request is granted.
However, always having to communicate with a Central Authenticator to determine whether a connection request should be granted has a drawback, namely that if the Central Authenticator crashes or communication to the Central Authenticator is lost, a user or group of users may be denied a session even though the total number of allocated sessions have not yet been established ("under-subscription").
For example, a company "A", which has employees located in five ("5") cities (San Diego, Los Angeles, San Jose, San Francisco and Irvine) may have a total of one hundred ("100") sessions allocated for its employees, but may have only twenty-five ("25") sessions that are currently active. By locating a NAS in each of the five cities, the employees of company "A" can dial into a local NAS to request a session. Upon receiving the request, the NAS may communicate with the Central Authenticator to verify that a session can be established for the employee. However, if the Central Authenticator has crashed or the communication link between the local NAS and the Central Authenticator has failed, there is no way to determine that a session should be established for the particular employee. Thus, the session request cannot be granted and the employee will be denied access to the network, even though the total number of sessions that are active for the employees of company "A" ("25") is less than the total number of allocated sessions ("100") ("under-subscription"). In this context, a communication link failure includes but is not limited to any type of hardware or software failure that impedes or obstructs two components from communicating with one another.
One approach to avoiding under-subscription is to implement a "hot" backup system in which a backup Central Authenticator is used to mirror the primary Central Authenticator. Thus, whenever the primary Central Authenticator becomes unavailable, a NAS may communicate with the backup Central Authenticator to obtain authorization for establishing a session.
However, a significant drawback with a "hot" backup system is that it can require a substantial amount of additional hardware and may require a significant increase in the complexity of the communication logic. The additional hardware components and added communication logic can significantly increase the cost of the system. For example, to implement a hot backup system, a second Central Authenticator (backup) is needed. This in itself can significantly increase the cost of the system.
In addition, in order to integrate the backup Central Authenticator into the system, each NAS needs additional communication links to communicate with the backup Central Authenticator in case of a failure. Thus, additional hardware and communication logic will also need to be added to each NAS. Further, the added communication links can potentially reduce the reliability of the system as the added links are just as likely to go down as the communication links to the primary Central Authenticator. Furthermore, additional logic will need to be added to the primary and backup Central Authenticators to keep them synchronized.
Another approach to reducing under-subscription is to enable each NAS to establish the total number of sessions that have been allocated for a user or group of users. Thus, if a particular NAS crashes, the other NASs can still authorize up to the maximum number of sessions that have been allocated. In addition, if the communication link between two NASs goes down, authorization of sessions is not affected.
For example, the NASs that are located in each of the five cities (San Diego, Los Angeles, San Jose, San Francisco and Irvine) may each be allowed to authorize and actively establish one hundred ("100") sessions for the employees of company "A". By having each local NAS maintain its own counter of the number of sessions that are currently active for the employees of company "A", the NASs need not communicate with a Central Authenticator before a session can be authorized. Thus, if the San Jose NAS crashes, the other NASs are not affected, as they may still authorize the total number of sessions that are allocated for the employees of company "A". Also, if a communication link between the San Jose NAS and the Irvine NAS goes down, the San Jose NAS and the Irvine NAS may each still authorize the total number of sessions.
However, providing each NAS with the ability to establish the total number of sessions that have been allocated for a particular user or group of users has a drawback. A number of sessions may be actively established for the particular user or group of users that is greater than is actually allocated ("over-subscription"). For example, the employees of company "A", who are located throughout the five cities, may require that a total of 100 sessions be allocated for use. If a NAS is located in each of the 5 cities, and each NAS allows a total of 100 sessions to be established by the employees of company "A", then a total of 500 sessions may actively be established by the employees of company "A" (five NASs × 100 sessions per NAS). Thus, by providing each NAS with the ability to authorize the total number of sessions that are allocated for company "A", a large number of unauthorized sessions may be established (400 in this example). These unauthorized sessions potentially represent a significant amount of unrealized revenue. In addition, because only a limited number of connections can be made with any one NAS, allowing a large number of unauthorized sessions to be established can significantly reduce the number of authorized sessions that can be established at one time.
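The two background approaches can be compared side by side in a small model. The following is an added example, not code from the patent; the class and function names are hypothetical, and only the figures (five cities, 100 allocated sessions, 25 active) come from the text.

```python
from dataclasses import dataclass

ALLOCATED = 100  # sessions allocated to company "A" (figure from the text)
CITIES = ["San Diego", "Los Angeles", "San Jose", "San Francisco", "Irvine"]

class Unreachable(Exception): pass  # NAS cannot contact the authenticator

@dataclass
class CentralAuthenticator:
    allocated: int
    active: int = 0          # global count of active sessions
    reachable: bool = True   # False models a crash or link failure

    def request(self) -> bool:
        if not self.reachable:
            raise Unreachable()
        if self.active >= self.allocated:
            return False
        self.active += 1
        return True

@dataclass
class Nas:
    city: str
    local_active: int = 0

    def admit_central(self, ca: CentralAuthenticator) -> bool:
        """Every request is checked against the global count."""
        try:
            return ca.request()
        except Unreachable:
            return False     # denied although quota may remain

    def admit_local(self, allocated: int) -> bool:
        """Each NAS keeps its own counter and may grant the full allocation."""
        if self.local_active >= allocated:
            return False
        self.local_active += 1
        return True

def under_subscription():
    ca = CentralAuthenticator(ALLOCATED)
    sites = [Nas(c) for c in CITIES]
    for i in range(25):                      # 25 sessions currently active
        sites[i % len(sites)].admit_central(ca)
    ca.reachable = False                     # authenticator or link fails
    return ca.active, sites[2].admit_central(ca)

def over_subscription():
    sites = [Nas(c) for c in CITIES]
    for nas in sites:
        while nas.admit_local(ALLOCATED):    # dial in until this NAS refuses
            pass
    total = sum(n.local_active for n in sites)
    return total, total - ALLOCATED          # sessions beyond the allocation
```

`under_subscription()` shows a request refused with 75 sessions still unused, and `over_subscription()` reproduces the 500 total and 400 unauthorized sessions of the example above.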
Based on the foregoing, there is a clear need for a recovery mechanism that does not require the use of backup servers or redundant servers.
There is also a need for a recovery mechanism that can reduce the number of times that a particular user or group of users are denied a session, even though the system has not yet established the total number of active sessions that have been allocated to the particular user or group of users.
In addition, there is also a need for a recovery mechanism that can reduce the number of unauthorized sessions that are allowed for a particular user or group of users.
The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method for dealing with and recovering from failures in a distributed database system. The method may comprise determining that a second server cannot communicate with a third server that is normally responsible for authorizing the session. A request is received to establish a session for a particular entity associated with the client. It is determined whether the third server is an authoritative server for the entity. If the third server is the authoritative server for the entity, then it is determined at the second server whether the session should be established for the entity.
One feature of this aspect is that if the second server determines that the session should be established, then the first server is informed that the session may be established between the client and the first server.
Another feature of this aspect is that if the second server determines that the session should not be established, then the first server is informed that the session may not be established between the client and the first server.
Still another feature of this aspect includes the steps of storing and maintaining data that is associated with the second server. The data includes a local session established counter value that indicates a first number of sessions that have been authorized for the particular entity by the second server and which are still currently active, and an allocated sessions threshold value that indicates a second number of sessions that have been allocated for the particular entity.
Yet another feature of this aspect includes the steps of storing and maintaining data that is associated with the second server. The data includes a local session counter value that indicates a third number of sessions that are currently active for the particular entity, and a local session threshold value that indicates a fourth number of sessions that may be currently active before sessions cannot be authorized locally by the second server.
According to another feature, a method is provided for authorizing a data communication session between a client and a first server. After a failure, the method determines that a second server and a third server cannot communicate. One or more sessions that were authorized by the second server and which are currently active for a particular entity are identified. The third server is assigned as an authoritative server for the particular entity. A global session counter value that indicates a first number of sessions that are currently active for the particular entity is calculated. The global session counter value does not include the one or more sessions that have been authorized by the second server and which are currently active for the particular entity. Upon receiving a request to authorize a session for the particular entity, the method determines whether the session should be established by comparing the global session counter value with a global session threshold value. The global session threshold indicates a second number of sessions that have been allocated for the particular entity.
According to yet another feature, a method for broadcasting session information to one or more servers is provided, comprising the computer-implemented steps of determining, after a failure, that a first server cannot communicate with a second server. One or more sessions that were authorized by the second server and which are currently active for a particular entity are identified. The first server is assigned as an authoritative server for the particular entity. A global session counter value that indicates a first number of sessions that are currently active for the particular entity is calculated. The global session counter value does not include the one or more sessions that have been authorized by the second server and which are currently active for the particular entity. The method determines whether one or more other servers have previously authorized sessions for the particular entity; and if one or more other servers have previously authorized sessions for the particular entity, then the one or more other servers are informed of the calculated global session counter value.
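The recovery and broadcast steps of the two preceding paragraphs can be sketched as follows. This is an added example, not code from the patent: the server names, the session-table layout and the rule "grant while the counter is below the threshold" are assumptions, and the sample table is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class AuthoritativeServer:
    name: str
    global_threshold: dict                          # entity -> allocated sessions
    sessions: list = field(default_factory=list)    # (entity, authorizing server)
    global_counter: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)      # (server, entity, counter)

    def recover(self, entity, unreachable):
        """Take over as authoritative server after losing `unreachable`."""
        by_server = Counter(s for e, s in self.sessions if e == entity)
        # Sessions the unreachable server authorized are identified and
        # left out of the recalculated global session counter.
        excluded = by_server.pop(unreachable, 0)
        self.global_counter[entity] = sum(by_server.values())
        # Inform every other server that previously authorized sessions
        # for this entity of the calculated value.
        for server in sorted(by_server):
            if server != self.name:
                self.outbox.append((server, entity, self.global_counter[entity]))
        return excluded

    def authorize(self, entity, via):
        """Compare the global counter with the global threshold (assumed <)."""
        if self.global_counter[entity] >= self.global_threshold[entity]:
            return False
        self.sessions.append((entity, via))
        self.global_counter[entity] += 1
        return True

def demo():
    # Constructed table: 25 active sessions for company "A" on three NASs.
    table = ([("A", "nas-san-jose")] * 10 + [("A", "nas-irvine")] * 9
             + [("A", "nas-la")] * 6)
    srv = AuthoritativeServer("nas-la", {"A": 100}, table)
    excluded = srv.recover("A", unreachable="nas-san-jose")
    granted = srv.authorize("A", via="nas-irvine")
    return excluded, srv.global_counter["A"], granted, srv.outbox
```

Because the excluded sessions may still be live on the unreachable side, the number of sessions actually open can exceed the global session threshold by up to that excluded count until the servers reconnect.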
The invention also encompasses a computer-readable medium, a computer data signal embodied in a carrier wave, and an apparatus configured to carry out the foregoing steps.